secrets-scan

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Secrets Scan

敏感凭证扫描

Deep detection of hardcoded credentials and sensitive data in source code.

深度检测源代码中的硬编码凭证和敏感数据。

Quick Start

快速开始

/secrets-scan                    # Scan current directory
/secrets-scan --scope src/       # Scan specific path
/secrets-scan --entropy          # Include high-entropy detection
/secrets-scan --git-history      # Check git commit history

/secrets-scan                    # 扫描当前目录
/secrets-scan --scope src/       # 扫描指定路径
/secrets-scan --entropy          # 包含高熵检测
/secrets-scan --git-history      # 检查Git提交历史

What This Skill Detects

本工具可检测的内容

High-Confidence Patterns

高置信度模式

Patterns with very low false positive rates:

Type	Pattern Example	Provider
AWS Access Key	`AKIA...` (20 chars)	AWS
AWS Secret Key	40 char base64	AWS
GitHub Token	`ghp_` , `gho_` , `ghu_` , `ghs_` , `ghr_`	GitHub
GitLab Token	`glpat-...`	GitLab
Slack Token	`xoxb-` , `xoxp-` , `xoxa-`	Slack
Stripe Key	`sk_live_` , `rk_live_`	Stripe
Twilio	`SK...` (34 chars)	Twilio
SendGrid	`SG.` followed by base64	SendGrid
Private Key	`-----BEGIN (RSA\|EC\|DSA)?PRIVATE KEY-----`	Various
Google API Key	`AIza...` (39 chars)	Google

假阳性率极低的模式：

类型	模式示例	服务商
AWS Access Key	`AKIA...` (20个字符)	AWS
AWS Secret Key	40字符base64编码	AWS
GitHub Token	`ghp_` , `gho_` , `ghu_` , `ghs_` , `ghr_`	GitHub
GitLab Token	`glpat-...`	GitLab
Slack Token	`xoxb-` , `xoxp-` , `xoxa-`	Slack
Stripe Key	`sk_live_` , `rk_live_`	Stripe
Twilio	`SK...` (34个字符)	Twilio
SendGrid	`SG.` 后接base64编码	SendGrid
私钥	`-----BEGIN (RSA\|EC\|DSA)?PRIVATE KEY-----`	多种服务商
Google API Key	`AIza...` (39个字符)	Google

Medium-Confidence Patterns

中等置信度模式

May require context validation:

Type	Pattern	Notes
Generic API Key	`api[_-]?key.=.['"][a-zA-Z0-9]{16,}`	Variable names
Generic Secret	`secret.=.['"][^'"]+`	Context needed
Password	`password.=.['"][^'"]+`	May be config
Connection String	`://[^:]+:[^@]+@`	DB credentials
Bearer Token	`Bearer [a-zA-Z0-9_-]+`	In headers/code

可能需要上下文验证：

类型	模式	说明
通用API密钥	`api[_-]?key.=.['"][a-zA-Z0-9]{16,}`	变量名称相关
通用机密信息	`secret.=.['"][^'"]+`	需要上下文判断
密码	`password.=.['"][^'"]+`	可能是配置项
连接字符串	`://[^:]+:[^@]+@`	数据库凭证
Bearer令牌	`Bearer [a-zA-Z0-9_-]+`	存在于请求头或代码中

High-Entropy Detection

高熵检测

Finds potential secrets via entropy analysis:

/secrets-scan --entropy

Detects strings with high randomness that may be:

Base64-encoded secrets
Hex-encoded tokens
Custom API key formats

通过熵分析发现潜在的机密信息：

/secrets-scan --entropy

检测具有高随机性的字符串，这些可能是：

Base64编码的机密信息
十六进制编码的令牌
自定义API密钥格式

Detection Patterns

检测模式

Cloud Provider Keys

云服务商密钥

regex

undefined

regex

undefined

AWS

AKIA[0-9A-Z]{16} # Access Key ID [A-Za-z0-9/+=]{40} # Secret Access Key (context needed)

AKIA[0-9A-Z]{16} # Access Key ID [A-Za-z0-9/+=]{40} # Secret Access Key (需上下文判断)

Azure

[a-zA-Z0-9+/=]{88} # Storage Account Key

[a-zA-Z0-9+/=]{88} # 存储账户密钥

GCP

AIza[0-9A-Za-z_-]{35} # API Key [0-9]+-[a-z0-9]{32}.apps.googleusercontent.com # OAuth Client

undefined

AIza[0-9A-Za-z_-]{35} # API密钥 [0-9]+-[a-z0-9]{32}.apps.googleusercontent.com # OAuth客户端

undefined

Version Control Tokens

版本控制令牌

regex

undefined

regex

undefined

GitHub

gh[pousr][A-Za-z0-9]{36,} # Personal/OAuth/User/Repo/App github_pat[A-Za-z0-9]{22}_[A-Za-z0-9]{59} # Fine-grained PAT

ghp_[A-Za-z0-9]{36,} # 个人/OAuth/用户/仓库/应用令牌 github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59} # 细粒度PAT

GitLab

glpat-[A-Za-z0-9-_]{20,} # Personal Access Token

glpat-[A-Za-z0-9_-]{20,} # 个人访问令牌

Bitbucket

[a-zA-Z0-9]{24} # App Password (context needed)

undefined

[a-zA-Z0-9]{24} # 应用密码(需上下文判断)

undefined

Payment & Finance

支付与金融服务

regex

undefined

regex

undefined

Stripe

sk_live_[a-zA-Z0-9]{24,} # Secret Key rk_live_[a-zA-Z0-9]{24,} # Restricted Key pk_live_[a-zA-Z0-9]{24,} # Publishable Key

sk_live_[a-zA-Z0-9]{24,} # 密钥 rk_live_[a-zA-Z0-9]{24,} # 受限密钥 pk_live_[a-zA-Z0-9]{24,} # 可发布密钥

Square

sq0[a-z]{3}-[A-Za-z0-9_-]{22,} # Access Token

sq0[a-z]{3}-[A-Za-z0-9_-]{22,} # 访问令牌

PayPal

access_token$[a-zA-Z0-9-_.]+ # OAuth Token

undefined

access_token$[a-zA-Z0-9-_.]+ # OAuth令牌

undefined

Communication Services

通信服务

regex

undefined

regex

undefined

Slack

xox[bpas]-[0-9]{10,}-[a-zA-Z0-9]{24,} # Bot/User/App Token

xox[bpas]-[0-9]{10,}-[a-zA-Z0-9]{24,} # 机器人/用户/应用令牌

Twilio

SK[a-f0-9]{32} # API Key SID [a-f0-9]{32} # Auth Token (context)

SK[a-f0-9]{32} # API密钥SID [a-f0-9]{32} # 认证令牌(需上下文)

SendGrid

SG.[a-zA-Z0-9_-]{22}.[a-zA-Z0-9_-]{43} # API Key

undefined

SG.[a-zA-Z0-9_-]{22}.[a-zA-Z0-9_-]{43} # API密钥

undefined

Database Connection Strings

数据库连接字符串

regex

undefined

regex

undefined

PostgreSQL/MySQL

(postgres|mysql|mariadb)://[^:]+:[^@]+@[^/]+/\w+

MongoDB

mongodb(+srv)?://[^:]+:[^@]+@

Redis

redis://:[^@]+@

undefined

redis://:[^@]+@

undefined

Private Keys

私钥

regex

-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

regex

-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

JWT & Session

JWT与会话

regex

eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+   # JWT

regex

eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+   # JWT

Scan Options

扫描选项

Basic Scan

基础扫描

/secrets-scan

Scans for high-confidence patterns only.

/secrets-scan

仅扫描高置信度模式。

With Entropy Analysis

包含熵分析

/secrets-scan --entropy

Adds high-entropy string detection (more findings, some false positives).

/secrets-scan --entropy

添加高熵字符串检测（发现结果更多，但存在部分假阳性）。

Specific Scope

指定扫描范围

/secrets-scan --scope src/api/
/secrets-scan --scope "*.ts"

/secrets-scan --scope src/api/
/secrets-scan --scope "*.ts"

Git History Scan

Git历史扫描

/secrets-scan --git-history
/secrets-scan --git-history --since "2024-01-01"

Scans commit history for secrets that were committed and later removed.

/secrets-scan --git-history
/secrets-scan --git-history --since "2024-01-01"

扫描提交历史中曾提交后又被移除的机密信息。

Exclude Patterns

排除模式

/secrets-scan --exclude "*.test.ts" --exclude "fixtures/"

/secrets-scan --exclude "*.test.ts" --exclude "fixtures/"

Output Format

输出格式

Finding Report

检测结果报告

SECRETS SCAN RESULTS
====================

High-Confidence Findings: 2
Medium-Confidence Findings: 5
Entropy Findings: 3

[!] CRITICAL: AWS Access Key
    File: src/config/aws.ts:15
    Pattern: AKIAIOSFODNN7EXAMPLE
    Action: Rotate immediately, check CloudTrail

[!] CRITICAL: GitHub Token
    File: .env.example:8
    Pattern: ghp_xxxx...xxxx (redacted)
    Action: Revoke token, remove from history

[H] HIGH: Database Password
    File: docker-compose.yml:23
    Pattern: password: supersecret
    Action: Use environment variable

[M] MEDIUM: Possible API Key
    File: src/services/api.ts:44
    Pattern: apiKey = "a1b2c3..."
    Context: May be test value

SECRETS SCAN RESULTS
====================

High-Confidence Findings: 2
Medium-Confidence Findings: 5
Entropy Findings: 3

[!] CRITICAL: AWS Access Key
    File: src/config/aws.ts:15
    Pattern: AKIAIOSFODNN7EXAMPLE
    Action: Rotate immediately, check CloudTrail

[!] CRITICAL: GitHub Token
    File: .env.example:8
    Pattern: ghp_xxxx...xxxx (redacted)
    Action: Revoke token, remove from history

[H] HIGH: Database Password
    File: docker-compose.yml:23
    Pattern: password: supersecret
    Action: Use environment variable

[M] MEDIUM: Possible API Key
    File: src/services/api.ts:44
    Pattern: apiKey = "a1b2c3..."
    Context: May be test value

Summary Statistics

统计摘要

Files scanned: 342
Patterns checked: 127
Time elapsed: 2.3s

By Severity:
  Critical: 2
  High: 5
  Medium: 8

By Type:
  Cloud credentials: 2
  API keys: 4
  Passwords: 3
  Private keys: 1
  Other: 5

Files scanned: 342
Patterns checked: 127
Time elapsed: 2.3s

By Severity:
  Critical: 2
  High: 5
  Medium: 8

By Type:
  Cloud credentials: 2
  API keys: 4
  Passwords: 3
  Private keys: 1
  Other: 5

False Positive Handling

假阳性处理

Common False Positives

常见假阳性情况

Example/placeholder values
- ```
AKIAIOSFODNN7EXAMPLE
```
  (AWS example)
- ```
sk_test_...
```
  (Stripe test key)
- ```
your-api-key-here
```
Test fixtures
- Mock credentials in test files
- Fixture data
Documentation
- README examples
- API documentation

示例/占位符值
- ```
AKIAIOSFODNN7EXAMPLE
```
  (AWS示例)
- ```
sk_test_...
```
  (Stripe测试密钥)
- ```
your-api-key-here
```
测试夹具
- 测试文件中的模拟凭证
- 夹具数据
文档
- README示例
- API文档

Ignore File

忽略文件

Create

.secrets-scan-ignore

undefined

创建

.secrets-scan-ignore

文件：

undefined

Ignore test fixtures

/fixtures/ /mocks/ *.test.ts *.spec.js

Ignore documentation

docs/** *.md

Ignore specific false positives

src/constants.ts:EXAMPLE_KEY

Inline ignore comment

secrets-scan-ignore: test fixture

undefined

undefined

Inline Ignore

行内忽略

javascript

// secrets-scan-ignore: example value
const EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE";

javascript

// secrets-scan-ignore: example value
const EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE";

Remediation Steps

修复步骤

When Secrets Are Found

发现机密信息时的操作

Immediate Actions
- Rotate the credential immediately
- Check access logs for unauthorized use
- Remove from code/config

Clean Git History

bash

# Remove secret from history
git filter-branch --force --index-filter \
  'git rm --cached --ignore-unmatch path/to/file' \
  --prune-empty --tag-name-filter cat -- --all

# Or use BFG Repo Cleaner
bfg --replace-text secrets.txt repo.git

Prevent Future Commits
- Add pre-commit hooks
- Configure secret scanning in CI

立即行动
- 立即轮换凭证
- 检查访问日志是否存在未授权使用
- 从代码/配置中移除

清理Git历史

bash

# Remove secret from history
git filter-branch --force --index-filter \
  'git rm --cached --ignore-unmatch path/to/file' \
  --prune-empty --tag-name-filter cat -- --all

# Or use BFG Repo Cleaner
bfg --replace-text secrets.txt repo.git

防止未来提交
- 添加提交前钩子
- 在CI中配置机密信息扫描

Prevention

预防措施

bash

undefined

bash

undefined

Install pre-commit hook

npx husky add .husky/pre-commit "npx secrets-scan --staged"

undefined

npx husky add .husky/pre-commit "npx secrets-scan --staged"

undefined

Integration

集成

CI/CD Pipeline

CI/CD流水线

yaml

undefined

yaml

undefined

GitHub Actions

name: Secrets Scan run: | /secrets-scan --fail-on-findings exit $?

name: Secrets Scan run: | /secrets-scan --fail-on-findings exit $?

Exit codes:

0 = No findings

1 = Findings detected

2 = Error during scan

undefined

undefined

Pre-Commit Hook

提交前钩子

bash

#!/bin/sh

bash

#!/bin/sh

.husky/pre-commit

files=$(git diff --cached --name-only) /secrets-scan --files "$files"

undefined

files=$(git diff --cached --name-only) /secrets-scan --files "$files"

undefined